
restrict commands that salt-minion is able to publish


I configured the salt-stack environment like below:

machine1 -> salt-master

machine2 -> salt-minion

machine3 -> salt-minion

This setup is working for me and I can publish, e.g., the command "ls -l /tmp/" from machine2 to machine3 with salt-call publish.publish 'machine3' cmd.run 'ls -l /tmp/'

How is it possible to restrict the commands that can be published?

In the current setup it's possible to execute every command on machine3, and that would be very risky. I was looking in the salt-stack documentation but unfortunately I didn't find any example of how to configure it accordingly.

SOLUTION:

  1. on machine1 create the file /srv/salt/_modules/testModule.py
  2. insert some code like:

    # Salt execution module. __salt__ is injected by the Salt loader once the
    # module is synced to a minion, so this file is not run as a script.
    def test():
        # Runs one fixed command; a peer can then publish testModule.test
        # instead of an arbitrary cmd.run.
        return __salt__['cmd.run']('ls -l /tmp/')

  3. to distribute the new module to the minions run:

    salt '*' saltutil.sync_modules

  4. on machine2 run:

    salt-call publish.publish 'machine3' testModule.test


Solution

  • The peer configuration in the salt master config can limit which commands a certain minion can publish, e.g.

    peer:
      machine2:
        machine1:
          - test.*
          - cmd.run
        machine3:
          - test.*
          - disk.usage
          - network.interfaces


    This will allow minion machine2 to publish test.* and cmd.run commands.

    P.S. Allowing minions to publish the cmd.run command is generally not a good idea; I just put it here as an example.
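To make the peer rules above checkable before they reach a master, here is an added example (not from the question, the answer or the Salt project). It assumes the flat form of the peer setting from the Salt master config reference (minion-id regex mapping to a list of function regexes), and it models the master's check as re.match on the minion id and on the function name, which is an assumption about Salt's behaviour rather than its source; the sample config is constructed.

```python
import re

# Constructed peer setting in the flat form (minion-id regex -> list of
# function regexes). Sample data for this example, not the page's config.
PEER_CONFIG = {
    "peer": {
        "machine2": ["test.*", "disk.usage", "network.interfaces"],
        "ops-.*": ["cmd.run"],  # deliberately unanchored, see can_publish
    }
}


def allowed_functions(peer_config, minion_id):
    """Collect the function patterns granted to a publishing minion.

    Simplified model (assumption, not Salt's code): each key under ``peer``
    is a regex tried against the minion id with re.match, and every
    matching key contributes its list."""
    perms = []
    for id_pattern, funcs in peer_config.get("peer", {}).items():
        if isinstance(funcs, list) and re.match(id_pattern, minion_id):
            perms.extend(funcs)
    return perms


def can_publish(peer_config, minion_id, function, anchored=False):
    """Decide whether minion_id may publish ``function``.

    anchored=False is prefix matching (re.match): a bare "cmd.run" entry
    then also admits cmd.run_all or cmd.run_bg. anchored=True uses
    re.fullmatch, the effect of writing "cmd\\.run$" in the config."""
    matcher = re.fullmatch if anchored else re.match
    perms = allowed_functions(peer_config, minion_id)
    return any(matcher(pat, function) for pat in perms)


def audit_peer_config(peer_config):
    """Return (minion pattern, function pattern) pairs that are neither
    anchored with '$' nor explicit '.*' wildcards, i.e. entries that may
    grant more than their literal text suggests."""
    findings = []
    for id_pattern, funcs in peer_config.get("peer", {}).items():
        for pat in funcs:
            if not pat.endswith("$") and not pat.endswith(".*"):
                findings.append((id_pattern, pat))
    return findings


if __name__ == "__main__":
    print(can_publish(PEER_CONFIG, "ops-01", "cmd.run_all"))  # True
    print(can_publish(PEER_CONFIG, "ops-01", "cmd.run_all", anchored=True))
    print(audit_peer_config(PEER_CONFIG))
```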